openwrt
luci-mod-network: Static Leases improvements
Under DHCP and DNS, Static Leases tab: Add extra fields and booleans Add 'ignore' value for ip field Add description text for fields Enable wildcards in mac addresses
Signed-off-by: Paul Dee [email protected]
Added macwildcard - MACs can contain wildcards e.g. *:*:*:*:*:* as specified in example dnsmasq.conf files, which enables e.g. MAC range matching.
e.g. the entry dhcp-host=11:22:33:44:55:66,set:red would be represented by
MAC: 11:22:33:44:55:66
Tag: red
while the entry dhcp-host=11:22:33:*:*:*,set:red would be:
MAC: 11:22:33:*:*:*
Tag: red
Do we accept contribution where is used GitHub's noreply address? :thinking:
Hello
This modification might fulfill the following feature request https://forum.openwrt.org/t/add-dns-setting-to-static-lease-configuration/151646
See also these other requests which somewhat relate
https://forum.openwrt.org/t/add-default-gateway-setting-to-static-lease-configuration/151644
I initially believe that a static DNS or Gateway could be assigned per device, but then I learned about the "tag" system
In this new change, it is great to see valid tags listed in the DHCP static lease dialog, however is there a way for the user to create new tags from the user interface or is the only way to manually edit /etc/config/dhcp ?
I think it would also help to suggest pre-made tags for example
deadend gateway (just don't provide internet access to a specific device) Gateway through a VPN Gateway through secondary WAN or multiwan DNS third party high security DNS (rather than ISP provided DNS) DNS through local server such as a pi-hole Gateway to Fakeinternet, for hostile devices which need to be contained Gateway to IP filtered connection (for instance windows devices which one would want to prevent to talking to any microsoft server via filter rules) Gateway to IP filtered ban list (block certain sites at certain time of day for only certain devices, similar to parental controls but enabled by DHCP/mac address filtering)
I think this covers most possible scenarios of common users. Having these as ready to go suggestions would empower users by making them realize what is possible and then helping them implementing those solutions quickly.
Looking forward to give this a try
Another thing I did not list in my above comment
However it is not part of the static lease configuration per say
Would be dhcp "white list mode"
Which would be a state where new, unknown devices are given a restricted or no internet access
In whitelist mode only whitelisted devices get full network access
When an unknown device connects to the network, there could be a status page notification to router admin about what to do about the device (full access, restricted internet, fakeinternet, segregate to quarantine subnet, segregate to hostile subnet)
This is to accomodate unknown and potentially hostile devices such as smart TVs, apple, android phones which will call home, export data and then download and execute unauthorized payloads when given free internet access.
Likewise, fakeinternet is to disable their own network capabilities when refused internet access.
I know that feels like an advanced feature that few people will use but, I think it all can be done with a few scripts and no extra software.
I think a default openwrt router should be able to handle hostile devices and work in hostile environement out of the box by just pressing a button
All of these options are possible when using tags.
I'm going to make a new PR soon to improve tag handling and management. Most of what you describe is made easier via tags and specific bits of config.
Tags are not limited to static leases. They can be used in lots of DHCP places.
Is there a way to assign a default tag to unknown devices ?
Also, like dynamic dns, I find that users have difficult time grasping how the whole thing works.
So I was thinking maybe we could have "mode" buttons to flip important config parameters of the dhcp server
However, the only modes I can think of right now is
default (all request given address out of the pool, default gateway, default dns, default timeserver)
and
whitelist (only requestors in the whitelist get a valid internet gateway,dns, the rest get invalid gateway(maybe fakeinternet), maybe no outside dns (can dnsmasq dns server discriminate clients this way) and maybe they even get their own, non routing subnet)
there are probably other modes for other situation I can't think of right now.
Also, it would be great to discriminate devices by type, apple, android, smart tv, IoT devices without having to explicitely tell the dhcp server what they are ? Maybe there exists somekind of ethernet mac address fingerprinting mechanism that could be used here (quickly leaving the scope of this issue here)
just throwing ideas here. Personnally all this comes from a time when I needed to connect an android device to have network access but without let it update its firmware, which would break my root access
Is there a way to assign a default tag to unknown devices ?
!known
Read the dnsmasq man page. You'll be enlightened.
Apparently, it is not possible to assign a default tag to unknown new and/or unknown old clients
The --dhcp-range apparently allows assigning a tag to a range
--dhcp-range=set:unknown,192.168.0.50,192.168.0.150,255.255.255.0,12h
but then, do known clients also get tagged as unknown ?
Does this means unknown clients cannot be on the same subnet and can never communicate (except through the router perhaps) ?
Also, does the openwrt user interface allow the user to apply this tag to the default range in an intuitive way ? (I don't have access to openwrt device at the moment but I don't recall seeing an option to this effect)
You can to do what you want today already:
Set a MAC, (or a wildcard MAC (or whatever tags) if you are using this code already), then set the leasetime to the keyword ignore.
With this code, or by manually editing the dhcp config, you can enter !known in the match_tag field.